Re: ClamAV And unrar - Bug #465207

To: debian-security@lists.debian.org
Subject: Re: ClamAV And unrar - Bug #465207
From: Nick Boyce <nick@glimmer.demon.co.uk>
Date: Thu, 28 Feb 2008 03:40:59 +0000
Message-id: <[🔎] 47C62D4B.6030409@glimmer.demon.co.uk>
In-reply-to: <[🔎] 200802272145.15437.sf@sfritsch.de>
References: <[🔎] 47C4CCA7.4070902@glimmer.demon.co.uk> <[🔎] 200802272145.15437.sf@sfritsch.de>

Stefan Fritsch wrote:

On Wednesday 27 February 2008, Nick Boyce wrote:

But it seems to me that simply enabling the --unrar parameter of
clamscan would not entail incorporating or distributing any unrar
code at all - the code to parse the --unrar parameter and call the
non-free unrar binary if specified surely belongs to ClamAV alone ?
Note that unrar-nonfree has no security support (like all packages innon-free) . Using it to automatically process potentially maliciouscontent is a bad idea, IMHO. In fact, unrar-nonfree in stable had asecurity issue until the release of etch r3 (CVE-2007-0855).

Ah ... damn, didn't realise that - a bit like Ubuntu's "universe" Isuppose ... security fixes not guaranteed, but are possible as thesource is available.

Don't know what to do now, especially as this is currently still a Sargesystem :-( I might just disable RAR scanning till I upgrade it.


Thanks for the heads up.
Nick Boyce
--
The owls are not what they seem.

Reply to:

References:
- ClamAV And unrar - Bug #465207
  - From: Nick Boyce <nick@glimmer.demon.co.uk>
- Re: ClamAV And unrar - Bug #465207
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Re: ClamAV And unrar - Bug #465207
Next by Date: Re: ClamAV And unrar - Bug #465207
Previous by thread: Re: ClamAV And unrar - Bug #465207
Next by thread: strange unhide-linux26 output
Index(es):
- Date
- Thread